Mitigating the threat of Spectre & Meltdown on Mobile Devices

By Marco Nielsen – VP Managed Mobility Services, Stratix

Security Vulnerabilities affecting Mobile CPUs

One of the largest, and most far-reaching security vulnerabilities were announced and we believe it is one which will impact us far into the future as legacy devices using these affected CPUs are everywhere, including in commonly-used mobile devices.

As these are CPUs affected there is no permanent “fix” to this problem, only mitigating steps which must be taken to ensure that rogue software is not able to exploit these devices.

In an attempt to simplify life for many IT administrators and staff now embarking on the messy task to sort out how to mitigate against these risks, we have gathered some of the important information now available and will keep it updated in the days and weeks ahead.

First, an overview of the vulnerabilities is important. Both of these hardware-based bugs allow software to steal data which is currently being processed on a computer. According to researchers studying the flaws, “while programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs.”[1]

What is it? “Spectre” – Variant 1 & 2

Spectre is a name covering two different exploitation techniques known as CVE-2017-5753 or “bounds check bypass,” and CVE-2017-5715 or “branch target injection.” These techniques potentially make items in kernel memory available to user processes by taking advantage of a delay in the time it may take the CPU to check the validity of a memory access call. Spectre breaks down the isolation between different programs allowing one program to steal information from another. Vendors are stating that this may be harder and more difficult to exploit short term, although Apple is stating it can be potentially exploited in JavaScript running in a web browser. Reports also state this could be the most challenging of the two vulnerabilities to patch.

What is it? “Meltdown” – Variant 3

Meltdown is a name given to an exploitation technique known as CVE-2017-5754 or “rogue data cache load.” The Meltdown technique can enable a user process to read kernel memory which is typically the protected part of an operating system. It works by breaking down the most fundamental isolation between applications running on a device and the operating system thereby allowing a rogue program to access the memory, and thus the secrets or other programs and the operating system. Most vendors are speculating that this will be easier to exploit short term, thus higher risk.

What to do? Stratix can help you with this problem

Stratix can assist with this security liability in your mobile environment by providing support to your mobile admins and users and can enable you to have a more secure business environment to protect your critical data due to these new risks.

Specific Stratix Managed Services include:

Consulting Services– Stratix personnel, can help you understand if your devices are under risk and what mitigation steps could be taken, short term and long term.

Support Services – Stratix’ trained mobile operations center personnel can assist end-users to perform the proper upgrades on devices and software as required.

Logistics Services– Stratix’s Lifecycle Management services can assist in upgrading devices and ensuring your mobile devices are properly and securing updated to the required version levels with all the correct software.

MDM / EMM Management Services – Stratix’ MDM / EMM personnel can assist with your MDM/EMM tools to help isolate at-risk devices, and ensure the proper steps are being taken to install all patches.

Please contact us for additional information or to schedule an initial call with one of our mobility specialists.

——————————————————————–

Status Table of Affected Devices

——————————————————————–

DownloadThe Status Table for more background information. This document is a table with many of the common software and devices found with our customers and provides a good overview status.

Please note: Stratix is not responsible for any errors or false statements made on the individual vendors’ web pages, or mistakes made in the table referenced above. We will be updating this table regularly as additional information is available.